Federal Network Cybersecurity

The new EO reiterates policy established in the Federal Information Security Management Act (FISMA) that agency heads are responsible for managing risks to IT at their agencies. However, it goes further and establishes policy that the executive branch will manage cybersecurity risks as a single entity as a matter of national security.

The EO directs agencies to use the "Framework for Improving Critical Infrastructure Cybersecurity," otherwise known as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (Framework), to manage the agencies' cybersecurity risks. The previous Administration did not explicitly direct agencies to follow the Framework, but used it to develop the metrics that CIOs and inspectors general continue to use to assess their agencies' progress in securing IT. NIST published a draft report shortly after the release of the EO to assist agencies in implementing the EO and applying the Framework to their systems. The Framework also cites, as references for the private sector to use in developing its own cybersecurity risk management procedures, the NIST Special Publications that federal agencies already use to inform the security of their networks.

To address agency cybersecurity as a national security issue, the EO directs agencies to evaluate risks to their systems (to include budgetary and system vulnerabilities) and report them to the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB). DHS and OMB in turn are directed to work with agencies to identify insufficiencies and develop a plan to mitigate cybersecurity risks to the federal enterprise as a whole. The EO does not discuss whether or not DHS's authority to issue binding operational directives to other agencies should be considered as part of that plan.

Concerning IT modernization, the EO directs agency heads to procure shared services and the American Technology Council to report on considerations relevant to IT consolidation such as technical concerns and costs of moving to the cloud. These efforts are similar to the previous Administration's "cloud first" policy and the "Modernizing Government Technology Act of 2017" (MGT Act, H.R. 2227), recently passed by the House.

Critical Infrastructure Cybersecurity

Section 9 of EO 13636 directed DHS to identify critical infrastructure entities where a cybersecurity incident could result in a catastrophic impact, which DHS defines as billions of dollars in damages, thousands of fatalities, or a degradation of national security. EO 13636 prioritized expedited security clearances for these critical infrastructure entities. The EO required agencies to identify new ways for the government to support these entities. The number of entities identified as part of the Section 9 designation is expected to increase regardless of government action, because new investments in infrastructure and growth in the interconnectedness of that infrastructure will increase dependency.

EO 13800 newly requires the government to collaborate with public and private sector stakeholders in a process to identify ways to reduce threats caused by botnets and to encourage voluntary action by the private sector to both improve the resilience of the Internet and mitigate botnet attacks.

National Cybersecurity

The EO states that the policy of the Executive branch is to "promote an open, interoperable, reliable, and secure Internet ... while respecting privacy and guarding against disruption, fraud and theft." It also recognizes the public and private sector workforce as vital to achieving the policy goal.

The National Cybersecurity Enhancement Act directs NIST to coordinate cybersecurity awareness and education and to evaluate future cybersecurity workforce needs for both the public and private sector, including recruitment and retention issues. The EO reiterates these responsibilities and seeks further government collaboration on these efforts.

There are additional requirements for national cybersecurity. The EO recognizes U.S. dependency on a global Internet and requires the identification of priorities and engagement strategies which may build upon a recent Department of State international strategy, as required by the Cybersecurity Act of 2015. The 2017 NDAA requires a report on deterring adversaries in cyberspace and the EO requires a similar report. The EO requires the government to examine the cybersecurity workforce developments of other countries with a focus on those which may affect the U.S.'s competitiveness, and to examine national-security-related cyber capabilities. Although not focused on national security capabilities, recent government strategies and plans concerning research and development have addressed some of these capabilities.

Deliverables

Table 1 outlines the deliverables included in the EO. The reports may be classified in full or in part, and are required to be made available to the President. However, aside from one exception, noted below, none of the reports is required to be made available to the public or Congress.

Table 1. Table of Deliverables from Cybersecurity Executive Order 13800

Deliverable | Due Date | Agencies | Notes
Report on International Priorities | June 25, 2017 | DOS, Treasury, DOD, DHS, DOJ, FBI |
Report on Findings from a Review of Foreign Cybersecurity Workforce Practices | July 10, 2017 | DOC, DHS, DOD, DOL, Ed, OPM | This review will focus on practices that will likely affect the U.S.'s long-term cybersecurity competitiveness.
Report on Agency Risk Management and Mitigation | August 9, 2017 | Individual agencies | Individual agency reports to DHS and OMB.
Report on Modernizing Federal IT | August 9, 2017 | American Technology Council, NIST | This report is to include recommendations on transitioning to shared services, such as cloud computing.
Report on Marketplace Transparency | August 9, 2017 | DHS, DOC |
Assessment of Cyber Incident Response to the Electric Sector | August 9, 2017 | DOE, DHS, DNI, state and local governments |
Report on Cybersecurity Risks to the Defense Industrial Base | August 9, 2017 | DOD, DHS, FBI, DNI |
Report on Cybersecurity Deterrence Options | August 9, 2017 | DOS, Treasury, DOD, DOJ, DOC, DHS, U.S. Trade Representative, DNI |
Report on Engagement Strategy for International Cooperation | September 23, 2017 | DOS, Treasury, DOD, DOC, DHS, DOJ, FBI |
Report on Federal Risk Management and Mitigation | October 8, 2017 | OMB, DHS, DOC, GSA |
Report on Modernizing National Security Systems | October 8, 2017 | DOD, DNI |
Report on Growing and Sustaining the Cybersecurity Workforce of the Public and Private Sectors | | |